Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: secure software engineering methodology

Re: secure software engineering methodology

From: Alex Russell <alex_at_netWindows.org>
Date: Mon, 22 Mar 2004 17:43:34 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 22 March 2004 5:37 am, Mads Rasmussen wrote:
> Do any of you have any experience with methodologies for software
> engineering of secure software?
>
> If you read the book "building secure software" by John Viega and
> Gary McGraw it says that extreme programming isn't good for
> security projects.

I would agree with that assessment. In fact, I would go so far as to
say that there are only a small subset of projects for which many of
the XP concepts are helpful or applicable. These projects tend to
share ALL the following criteria:
        - tightly defined or defineable goal
        - no scope drift
        - low risk tollerance
        - high time-to-market pressure
        - static project resources
        - established product or market

> I was considering applying RUP, the Rational Unified Process, but I
> think that it must be customized to consider security aspects.

Given my experience with RUP inside organizations of varying size, I'm
going to further extend my body onto a shaky limb and assert that no
one really uses it. The furthest most organizations go is to use the
templates that Rational/IBM produces, but that's about it. RUP (IMO)
is more about saying that you're following a methodology and being
able to use a trendier phrase than "source control" for marketing
purposes.

Of course, I would love to be wrong about this. Anyone actually
_using_ the WHOLE RUP process?

> If you search papers by Matt Bishop [1], Edward Amoroso [2] and
> several others you will only find bits and pieces. Non of them
> refer to a specific methodology, some tries to fit the Common
> Criteria [3] into the development process.

Common Criteria is backward-looking and does not make demands about
design or process, only that you have both and that you be able to
tell someone else what they are and demonstrate that you followed
them and that you were supposed to hit those targets in the first
place. It's like the iso9001 of software: you agree to tell someone
exactly what you're doing and what's wrong with it, proove it, and
then never change it. Therefore mapping to it is a documentation
exercise.

This is, of course, a gross over-simplification and premature
dismissal of CC, but it'll do for this discussion.

Regards

- --
Alex Russell
alex_at_burstlib.org BD10 7AFC 87F6 63F9 1691 83FA 9884 3A15 AFC9 61B7
alex_at_netWindows.org F687 1964 1EF6 453E 9BD0 5148 A15D 1D43 AB92 9A46
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAX5ZGoV0dQ6uSmkYRAmRsAJ4sND6Fgag/QQiUOiJUjKgIG7C1qQCcD7bi
VwTqpjRlrkfnQJLdftq5omM=
=QxSX
-----END PGP SIGNATURE-----
Received on Mar 23 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos